Laptop Security Turns On 65-Cent Solution

High-tech measures give way to simple locks

Washers - those little circular pieces of metal with a hole in the middle designed to help bolts grip a surface without damaging it - have nothing to do with IT security, right?

Well, I hope they do, because I just persuaded my company to buy 1,000 of them.

We have a fair number of laptops sprinkled around the company, mostly among senior managers and salespeople, and every so often, one of them goes missing. The cost of replacing the hardware is a relatively minor problem, but the data on the laptops is another thing entirely.

Our data may not be quite as sensitive as the data on the laptops at MI6, the British intelligence agency, but it's still quite valuable to certain people.


THIS WEEK'S GLOSSARY

SmartWater: SmartWater Europe Ltd.'s nonconductive liquid, when painted on objects, provides a unique "fingerprint" that works in a way similar to DNA profiling. Recovered devices can be easily identified by a unique code embedded in the liquid, which the company stores in a central database. The British government's Forensic Science Service manufactures the product under license.

LINKS:

This white paper describes Microsoft Corp.'s Encrypting File System, which is included in Windows 2000.

PGP Security, a subsidiary of Network Associates Inc. in Santa Clara, Calif., is the source for downloading PGP encryption software. Both a free downloadable version for personal use and a commercial version are available.

SmartWater Europe's Web site contains information on several products that use SmartWater security identification technology.

Atlanta-based Internet Security Systems' home page includes information on RealSecure security management tools and SafeSuite scanning software.

One example of the many sources for physical laptop security devices. Nashua, N.H.-based Computer Security Products Inc.'s Web site has one of the more interesting product names: the Smith & Wesson Laptop Kit.


We're investigating laptop-encryption products at the moment, but in the meantime, we've been trying to find a way to physically protect the laptops to make them slightly less vulnerable to loss or theft in the first place.

Protection Racket

The first thing to do was to buy security cables. These are simple things - wrap the cable around the leg of your desk, then secure one end to your laptop using the lock provided. Of course, nothing is quite this simple in real life, and we've already had to deal with lost keys and reluctant staff. The trickiest problem we've faced with this involves our "deluxe" desks.

These desks, used by senior managers and some of the salespeople, don't have exposed legs, so there's nowhere to attach the security cables. This problem went round and round for a while until it reached someone with enough common sense to solve it - unusually, a very senior manager. Even the deluxe desks have a cable hole in one corner, since everybody in the company uses a computer of some sort. The simple solution was to create a metal ring with a diameter larger than that of the cable hole. You attach the security cable to your laptop, pass the cable through the cable hole, then attach it to the ring, which can't pass through the hole. Simple, n'est-ce pas?

Unfortunately, it's taken me about three months to get this simple solution put into practice. We spoke to our facilities team, explained the problem and our suggested solution and asked them to sort it out for us.

One member of the facilities team e-mailed back explaining that what we really needed were security cables for the laptops, and he helpfully gave us contact details for a supplier. I explained that we already had cables but needed a way of attaching them to deluxe desks. The facilities person eventually understood the problem and asked us to call the facilities help desk.

He even forwarded his e-mail to the help desk, which responded with a simple answer in a matter of days. The suggestion? "Buy a laptop security cable. . . . "

We explained the situation calmly and patiently to the help desk. In retrospect, the calm patience may have been a mistake, because I'm reasonably sure that a short bout of bad-tempered shouting would probably have got the whole situation resolved much more quickly.

Once they understood the problem, the help desk staffers farmed the job out to the design team. But the designers didn't understand, so we explained it to them as well.

Two days later, I arrived at my desk to find a security cable wrapped round the exposed leg of my (standard-issue) desk and a quizzical e-mail from facilities wondering what the problem was. They failed to understand the problem over the phone and said they would come by my desk and talk it through face to face.

The commonsensical senior manager who, unlike me, is actually senior enough to have a deluxe desk, neatly took over the conversation before I lost my temper; he asked the facilities team to try the same trick on his desk. The facilities team eventually conceded the point, understood the whole nature of the problem and resolved to go away and solve it for us.

They came back 10 days later having found a supplier that would create custom laptop-security cable-anchoring devices. They could rush the job through with a brief two-week lead time and charge us no more than $6.50 a piece.

That was when I finally decided that contacting our facilities team was probably not the simplest method and contacted my local hardware store. Three-inch washers cost about 65 cents each and do exactly the same job.

The High-Tech Approach

Another, slightly more technological mechanism we've used for laptops is the Indsol Tracer System from SmartWater Europe Ltd. in Newport, England. It uses SmartWater, a nonconductive "liquid forensic coding system" that is designed to be different for each SmartWater customer and to be uniquely identifiable. It's manufactured by the British government's Forensic Science Service, which keeps a database of which batch belongs to whom.

We're starting to paint each of our laptops with this gizmo, so that if any is stolen and then recovered by the police, they should be able to identify it and return it no matter what's been done to it in the meantime.

We're not sure what to do about disk encryption at the moment. Windows 2000 provides file and disk encryption which would do the job very nicely, since it would require no extra software and (hopefully) be neatly integrated with the rest of the operating system. But we're not rolling Windows 2000 out to the users for at least a year.

Pretty Good Privacy (PGP) Version 5 would do the job, but previous experiences with PGP have shown that even though its interface is clear and simple, it's still too complex for some of our staff. We're going to take a hard look at PGP Version 7 in a few weeks to see if it can do the job.

The rest of my week has been spent closing off as many issues as I can before I spend the next two weeks concentrating exclusively on our software from Atlanta-based Internet Security Systems Inc. (ISS). We have six days of training on the software alongside our head office staff, a planning session on how we're going to use it, then a seminar on another company's implementation of the software.

I've got big plans for ISS's software. If it's really as versatile as it appears, then we're going to be able to use it to coordinate responses to a whole host of issues. I've heard nothing but good reports about the software ever since it came out, so I'm looking forward to coming to grips with it.

• This journal is written by a real security manager, whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com to help you and our security manager - let's call him Jude Thaddeus - better solve security problems. Contact Jude at jude.t@lycos.com or click on Computerworld.com's Security Watch community forum to participate in discussion topics.

Copyright © 2000 IDG Communications, Inc.
